ASA 5505 SSH Access

I remotely manage an ASA 5505. In the past, I have been able to access the public interface via SSH. I upgraded the ASA from 8.0.3 to 8.0.4. Since the upgrade, I have not been able to access the ASA public (outside) interface with SSH. I do have ASDM access. From the ASDM, I see the SSH connection has the TCP 3-way handshake, then the ASA sends a reset. From the logs, I see a Built and Teardown. I have not found any other logs. I have zeroized and regenerated the RSA key. Still no SSH connection.

Re: ASA 5505 SSH Access

Sounds like you have already done what is recommended by regenerating RSA keys. Have you tried connecting from a different host to rule out SSH client issues? I have also upgraded to 8.0.4 and have seen a couple of strange things, not exactly related to SSH, but I am waiting for it to happen again to report it in the forum.

Do you still have this statement, if using the local user database?

aaa authentication ssh console LOCAL

Also try a telnet test from the outside host to see if you get the screen back OK.

Re: ASA 5505 SSH Access

Hi Rick,

I would also suggest configuring 'debug ssh 255' and watching the output that is generated when you try to connect via SSH. Another one that may shed some light is 'debug npshim 15'. I would recommend enabling these as 2 separate tests (i.e. 'debug ssh 255', test, 'undebug all', 'debug npshim 15', test, 'undebug all').

Take a look through that output and see if it has any explanation as to why the reset is being sent.

Re: ASA 5505 SSH Access

I tested one last time before leaving for the new site; SSH access failed. I went to the site. Connected to the internal network and tried to SSH to the ASA inside interface. SSH access worked. I was prompted to accept the new key and I was in (I had generated a new RSA key the other day). I then remotely connected back to my home network. Connected to the ASA outside interface (SSH). It worked. Again, I was prompted to accept the new key and I was in.

Sadly I didn't capture any debug information. Thank you for the ideas.
